lisa/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

block: Fix use-after-free while iterating over requests

Browse Source 
During request completion and if there are no more references,
update the free request with NULL. This could avoid accessing
the already free request from other contexts while iterating
over the requests.

Change-Id: If3593d8397f510821e1d2ca89f5e0af9d19d57e1
Signed-off-by: Pradeep P V K <ppvk@codeaurora.org>
This commit is contained in:
Pradeep P V K 2020-11-24 16:43:06 +05:30
parent 58329ca148
commit 10ee57c29e
2 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
block/blk-mq.c
View File

@ -497,6 +497,7 @@ static void __blk_mq_free_request(struct request *rq)
const int sched_tag = rq->internal_tag;
blk_pm_mark_last_busy(rq);
hctx->tags->rqs[rq->tag] = NULL;
rq->mq_hctx = NULL;
if (rq->tag != -1)
blk_mq_put_tag(hctx, hctx->tags, ctx, rq->tag);

2
block/blk-mq.h
View File

@ -209,6 +209,7 @@ static inline bool blk_mq_get_dispatch_budget(struct blk_mq_hw_ctx *hctx)
static inline void __blk_mq_put_driver_tag(struct blk_mq_hw_ctx *hctx,
struct request *rq)
{
hctx->tags->rqs[rq->tag] = NULL;
blk_mq_put_tag(hctx, hctx->tags, rq->mq_ctx, rq->tag);
rq->tag = -1;
@ -222,7 +223,6 @@ static inline void blk_mq_put_driver_tag(struct request *rq)
{
if (rq->tag == -1 || rq->internal_tag == -1)
return;
__blk_mq_put_driver_tag(rq->mq_hctx, rq);
}